Passwd protection

fatepower

Hello all

I have a question, i have used the google but with no success.
I wonder if its are possible to password protect a php file. I mean when a user sha visit, php-edit.php they need to enter a password before they can use the file.
Is that possible?

Another question is, is it possible to steel cookies and use the cookies for a login? At my site a saw alot of hack attempts who was from my admin account. So i needed to change all the passwords on my server ect ect because he had seen the config.php, so with the php-editor script.

Please help! Thanks in advice.

fatepower

I have now added a password protection,
but for everytime i shall do a new update or change i need to enter the password again. How can i add so the password only needs to be printed once.

Heres the file:

<?php

require_once ("include/functions.php");
require_once ("include/config.php");

dbconn(true);

standardheader('PHP Editor');

if (!$CURUSER || $CURUSER["owner_access"]!="yes")
   {
       err_msg(ERROR,NOT_ADMIN_CP_ACCESS);
       stdfoot();
       exit;
}
else
    {
##########################################################################
$password = "hello";  // Modify Password to suit for access, Max 10 Char.
##########################################################################

if (isset($_POST["password"]) && ($_POST["password"]=="$password")) {

block_begin('PHP Editor');
?>
<html> 
<head> 
<title></title> 
</head> 
<body topmargin="2" leftmargin="1" bottommargin="0" bgcolor="#F9F9FF"> 
<?php 
if (isset($_GET['bestand'])) { 
$bestand = $_GET['bestand']; } 
if (isset($_POST['bestand'])) { 
$bestand = $_POST['bestand']; } 

if (isset($bestand)) { 

if (isset($_POST['verwijder'])) { 
if (unlink($_POST['verwijder']) == TRUE) 
{ $melding = "<b>" . $_POST['verwijder'] . "</b> ". PHP_DELETE_SUCCES . "";  } 
else  { $melding = "<b>" . $_POST['verwijder'] . "</b> " . PHP_DELETE_FAILED . ""; } } 

if(is_dir($bestand)) { 
$dir = "$bestand/"; 
$bestand = "Nieuw.php"; } 
else { $dir = "."; } 
$file_array = array(); 
$filesfound = opendir($dir); 
while ($file = readdir($filesfound)) { 
if ($file != "." && $file != "..") { 
array_push($file_array,$file); }  } 
closedir($filesfound); 
if ($dir == ".") { $dir = ""; } 

if (isset($_POST['inhoud'])) { 
$text = stripslashes($_POST['inhoud']); 
$fopen=fopen($bestand,"w"); 
if (fwrite($fopen,$text)) { 
$melding = "<b>". $bestand . "</b> " . PHP_SAVE_TIME . ": " . date("G:i:s"); } 
else { $melding = "<b>". $bestand . "</b> " . PHP_NOT_SAVED . ""; } 
fclose($fopen); } 
if (isset($melding)) { } else { 
$melding = "<b>" . $bestand . "</b> " . PHP_NOT_SAVED_YET . ""; } 

$curos=strtolower($_SERVER['HTTP_USER_AGENT']); 
if (strstr($curos,"firefox")) { 
if (isset($_GET['mooi'])) { 
$cols = "120"; 
$rows = "6"; } else { 
$cols = "123"; 
$rows = "34"; } } 
if (strstr($curos,"msie"))    { 
if (isset($_GET['mooi'])) { 
$cols = "122"; 
$rows = "6"; } else { 
$cols = "122"; 
$rows = "32"; } } 

?> 

<table border="0" cellpadding="2" cellspacing="0">
	<tr>
		<td width="12%"><form name="Bestand" action="<?php echo "$PHP_SELF"; ?>"><?php echo PHP_CHANGE;?>: </td><td width="60%"><select size="1" name="bestand"> 
<?php 
echo "<option>" . $dir . $bestand . "</option>"; 
while (list($key, $file) = each ($file_array)) { 
echo "<option>". $dir . $file . "</option>"; } 
?> 
</select> <input style="width: 80;" type="submit" name="Submit" value="<?php echo PHP_OPEN;?>"> 
<input style="width: 80;" type="button" onClick="javascript:window.close();" value="<?php echo PHP_CLOSE;?>"> 
<input style="width: 80;" type=button onClick="history.go()" value="<?php echo PHP_REFRESH;?>"> 
</form></td>
		<td width="28%" align="right"><?php echo $melding;?></td></tr><tr><td><form name="PHP" method="post" action="<?php echo "$PHP_SELF"; ?>"><?php echo PHP_PRESENT;?>: </td><td><input type="text" name="bestand" value="<?php echo "$dir$bestand"; ?>"> 
<input style="width: 80;" type="submit" name="Submit" value="<?php echo PHP_SAVE;?>"> 
<input style="width: 80;" type="reset" name="Submit2" value="<?php echo PHP_RESET;?>"> 
<input style="width: 80;" type=button onClick="javascript:window.history.go(-1)" value="<?php echo PHP_BACK;?>"> 

</td><td align="right"> 
<?php if (isset($_GET['mooi'])) { 
echo "<a href=\"phpeditor.php?bestand=$bestand\">" . PHP_CLOSE_HIGHLIGHT . "</a> - "; } else { 
echo "<a href=\"phpeditor.php?mooi=$bestand&bestand=$bestand\">" . PHP_SHOW_HIGHLIGHT . "</a> - "; } 
echo "<a href=\"phpeditor.php?bestand=Nieuw.php\">" . PHP_BACK . "</a> - "; 
echo "<a href=\"phpeditor.php?verwijder=$bestand&bestand=Nieuw.php\">" . PHP_DELETE . "</a> - "; 
echo "<a href=\"$bestand\" target=\"_blank\">" . PHP_WATCH . "</a>"; 

echo "</td></tr><tr><td colspan=\"4\"><textarea name=inhoud cols=\"$cols\" rows=\"$rows\" style=\"font-family: Courier New; font-size: 10pt; border: 1px solid #000000;\">"; 
if (isset($text)) { 
echo htmlspecialchars($text); } 
else { 
$fopen=fopen($bestand,"rb"); 
$output=fread($fopen,filesize($bestand)); 
fclose($fopen); 
echo htmlspecialchars($output); } 
echo "</textarea></form></td></tr></table>"; } 

if (isset($_GET['mooi'])) { 
$fopen=fopen($_GET['mooi'],"rb"); 
$kleur=fread($fopen,filesize($_GET['mooi'])); 
fclose($fopen); 
echo "<br><table border=\"1\" cellpadding=\"2\" cellspacing=\"0\" 
style=\"border-collapse: collapse\" width=\"99%\"  bordercolorlight=\"#000000\" 
bordercolordark=\"#000000\" bgcolor=\"#FFFFFF\"><tr><td width=\"30\" valign=\"top\">"; 
$regels = explode ("\n", $kleur); 
$int = count ($regels) + 1; 
for ($i = 1; $i < $int; $i++) 
{ echo $i . ".<br>"; } 
echo "</td><td valign=\"top\">"; 
highlight_string($kleur); 
echo "</td></tr></table><br></body></html>";
			block_end();
		}
}
	else {
// Wrong password or no password entered display this message
if (isset($_POST['password']) || $password == "") {
  print "<p align=\"center\"><font color=\"red\"><b>Incorrect Password</b><br>Please enter the correct password</font></p>";}
  print "<form method=\"post\"><p align=\"center\">Please enter your password for access<br>";
  print "<input name=\"password\" type=\"password\" size=\"25\" maxlength=\"10\"><input value=\"Login\" type=\"submit\"></p></form>";
} 
	}
?>

roscor

Re Q/1 Add the following to you file this enables only the server to call the script and not someone who enters the file address.

if(eregi(basename(__FILE__),$_SERVER['REQUEST_URI']))
die('Direct access prohibited');

Re Q/2 see this thread

fatepower

Thank you for the reply, the code i posted is allready protected with a password but u need to enter a password all the time you shall change something (post data) when you have entered the file. Theres my question is how to make it so u only need to add your password once?!

I allready has a login system to my website but this is only "extra" security so it will protect the single file. So only the one who have the password will get access to it.

Cheers

j_70

Are you using a database to store this information? Why not use sessions? Either store them in the database or just store them at the OS level. That way, when someone enters their correct authentication token, you can store their credentials in a session and re-authenticate as necessary.

If you do this at the file level, each time the page is accessed, which would seem to be the case with every action the user takes, this will require them to re-enter their username and password.

fatepower

Yes i want to make it as a session, so the script have knowlage of that the password has allready been entered a time. Then when u quite the script the password will be cleared or it will be cleared after a X number of minutes.

I do not know how to do this, but might maybe someone know here 🙂
I readed the link roscor provided but i do not understand that post. Need more clear guide-lines.

Thanks in advance.

rsmith

When you use sessions the default expiry time is until exit, meaning once the browser is closed, the session data is flushed. This is what I do when I have secure sections such as an admin panel on the sites I build.

I use sessions to store the information for the authenticated user after login. Once the sessions are created I create a condition and set it to 1 for true and 0 for false. If the user information is valid, the sessions are created and the condition is set to 1 with the presence of the sessions. This bit of code is included at the beginning of all pages within my secure area. That way if someone tries to go directly to any page in the area, they are instantly redirected to a login. I'm fairly certain this is what you are trying to accomplish.

fatepower

Yes that is what im searching for. How do i add that into the script/page i posted?
There is allready a password with a if tag and a login with else. You will se up there at the script.

As im not have knowlage of the session can u please provide with some information how i will add it into the file?

Thanks in advance.

Rgs - Fate

roscor

I use sessions on my pages and redirect using a header function if a non-member tries to access those pages, I just redirect to my login page. On all those pages which I want to restrict access i place the following code.

<?php session_start();
if (empty($_SESSION['valid_user'])){
 header("location:https://mysite.com/login.php");
exit();
}
?>

fatepower

Yes thats what im searching for, but i see that u are using a header location. In my code, i want to add it into the same code. The session shall be stored when u have added the correct password, and u should only need to add it once. Please take alook at the script above, its easy to userstand.

Cheers and thansk in advance.

bretticus

fatepower wrote:
Yes thats what im searching for, but i see that u are using a header location. In my code, i want to add it into the same code. The session shall be stored when u have added the correct password, and u should only need to add it once. Please take alook at the script above, its easy to userstand.

Cheers and thanks in advance.

Does your...

err_msg(ERROR,NOT_ADMIN_CP_ACCESS);
stdfoot();

Code include a login form perhaps? How are your users going to log in? The reason roscor redirects the page to login.php is because login.php would contain a login form that, upon posting, would check a database (or whatever "floats your boat") to make sure user credentials were entered properly. Then, it would set the session variable 'valid_user' to anything. At that point, you can take advantage of the

$_SERVER['HTTP_REFERER']

variable to send the page back to the page the user intended to browse. Or you can just store the current page as a session variable for the login page to use:

// page_to_protect.php
if (empty($_SESSION['valid_user'])){
$_SESSION['intended _url'] = $_SERVER['PHP_SELF'];
header("location:https://mysite.com/login.php");
exit();
}

// login.php (excerpt)
header("Location: " $_SESSION['intended _url']);

If the user goes back to your initial page, they will be permitted access (not redirected to the login.php page) since the 'valid_user' session variable will not be empty. roscor's code example is pretty much the standard because it's one if statement that just prevents the code below from running unless a user has successfully logged in.

Of course, if you wanna make this harder, you could always do something like this...

<?php
session_start();

require_once ("include/functions.php");
require_once ("include/config.php");

dbconn(true);

standardheader('PHP Editor');

if (empty($_SESSION['valid_user']))
{  

       err_msg(ERROR,NOT_ADMIN_CP_ACCESS);
       stdfoot();
       exit;
}
else
{
?>
<html>
<head>
<title></title>
</head>
<body topmargin="2" leftmargin="1" bottommargin="0" bgcolor="#F9F9FF">
<?php
if (isset($_GET['bestand'])) {
$bestand = $_GET['bestand']; }
if (isset($_POST['bestand'])) {
$bestand = $_POST['bestand']; }
//...

rsmith

Let me explain my method. Here's my login.php script which authenticates the user.

		<?
			//Get the posted information.
				$username = strtolower(trim($_POST['username']));
				$password = sha1(trim($_POST['password']));

		//If nothing was submitted, quit processing and inform the user.
			if($username == "" || $password == ""){
				echo "Username and/or Password not entered<br />Click <a href='javascript:history.go(-1);'>here</a> to login in.";
			}else{

				//Run the query		
					$query = "SELECT username, password FROM admins WHERE LOWER(username)='".$username."'";
					$result = mysql_query($query);

					$mgr = mysql_fetch_assoc($result);


				//Set the session variables
				if(strtolower($username) === strtolower($mgr['username']) && $password === $mgr['password']){
						$_SESSION['username'] = $username;
						$_SESSION['password'] = $password;
						header("Location: cp.php");
					}else{
						echo "Invalid username and/or password.<br />Click <a href='javascript:history.go(-1);'>here</a> to login in.";
				}
			}		
	?>

As you can see the $SESSION['username'] and $SESSION['password'] are set if the user logged on successfully. Now, at the top of my pages in my cp is this snippet of code:

<?
   //Set condition for LOGGED_IN
        if($_SESSION['username'] && $_SESSION['password']){
			define("LOGGED_IN", 1);
		}

//Check to see if the user is authorized to be here.
	if(LOGGED_IN == 0){
		header("Location: login.php");
	}

?>

Simple enough. I define my condition as being set to true (1) if the $_SESSION variables set in my login script exist, meaning the user has logged in successfuly. 0 means the user is not logged in and redirects them as necessary to keep them out of my secured areas.

fatepower

Thank you for the reply.
The script does yes allready contain a login with cookies information. This login shall only be extra security for that file.

The code that rsmith posted, was a good example. The code shall not have a database access but the username and password shall be tooken directly from the document instead. The thing is to include those 2 code parts into one file. The file is named phpeditor.php and when the admin/moderator has edited the php file finished, he will close the window and the session get cleared.

The session shall just only be setted in that document and just protect that file. The other documents/php files does allread been protected with the other login system, who are using cookies files and a database to store username, password ect...

As my only question is how to example include rsmith code into just one file. The file phpeditor.php as i posted b4.

Cheers and thanks in advance.

rsmith

Just put that snippet of code before all other code in phpeditor.php. But keep in mind that only works for my system, you'd need to adapt it to work for yours.

fatepower

Yes and that is the problem, how???
Just for that file so it will add a session.

The username and password should not be getted from the database, it shall be defined directly into the .php file.
Like:

$LOGIN_INFORMATION = array(
  'test' => 'testpass',
  'admin' => 'passwd'
);

Then the refresh link should be like:

admincp.php?user=".$CURUSER["uid"]."&code=".$CURUSER["random"]?do=phpeditor

Its just how to do it, so it will show the content when u are logged in and when u not are logged in you shall login, and it shall create the session.

Thanks